What is the purpose of the aek_id variable at https://airvpn.org/entry?

[wintermute1912 6]

When I type https://airvpn.org into any browser it first redirects to https://airvpn.org/entry with two query string variables, aek_v and aek_id, before proceeding to the main airvpn page. What is the purpose of these variables and where do they come from?

[OpenSourcerer 1435]

You may well know that it's a DDoS protection mechanism. You may also be as far as knowing that aek_v is version (currently 14, as seen in your screenshot; your blur is ineffective, I'm afraid) and aek_url is where to redirect the browser after a successful check.

Now, the /entry webpage has some JavaScript code there which I didn't read too closely. But it suggests that the browser is to run some calculations, the result of which will be checked against what the server calculated. The aek_id might identify the calculation on the server against which the result of the browser is checked. If they match, you may pass. I assume this checks whether JavaScript runs and whether it runs correctly (as in, it's not a dummy/stub) on the client.

DDoS against web servers is usually not done by normal browsers but by automated programs mimicking them. As such, they don't usually run JavaScript. So those bots keep attacking the shell of a clam (that checking server) and the pearl inside is safe (AirVPN forums).

Edit: I found a related Stack Exchange question about CloudFront's protection mechanism (the infamous Checking your browser, you will be redirected in five seconds page).

Edited ... by giganerd
Stack Exchange

[wintermute1912 6]

On 12/29/2019 at 12:11 PM, giganerd said:

You may well know that it's a DDoS protection mechanism. You may also be as far as knowing that aek_v is version (currently 14, as seen in your screenshot; your blur is ineffective, I'm afraid) and aek_url is where to redirect the browser after a successful check.

Now, the /entry webpage has some JavaScript code there which I didn't read too closely. But it suggests that the browser is to run some calculations, the result of which will be checked against what the server calculated. The aek_id might identify the calculation on the server against which the result of the browser is checked. If they match, you may pass. I assume this checks whether JavaScript runs and whether it runs correctly (as in, it's not a dummy/stub) on the client.

DDoS against web servers is usually not done by normal browsers but by automated programs mimicking them. As such, they don't usually run JavaScript. So those bots keep attacking the shell of a clam (that checking server) and the pearl inside is safe (AirVPN forums).

Edit: I found a related Stack Exchange question about CloudFront's protection mechanism (the infamous Checking your browser, you will be redirected in five seconds page).

Thank you for the reply. It didn't occur to me that it could be a DDoS protection mechanism but further investigation of the (beautifully obfuscated) JS certainly points in that direction.

It was only my intention to the obscure the aek_id with the blur btw but as it turns out I needn't have bothered as this variable is different with each browser instance. I can't claim to understand exactly what the entry JS does but it seems the aek_id is purely arbitrary. My only concern was it was static and unique and somehow generated from identifying elements of my browser.

All good!

[OpenSourcerer 1435]

2 hours ago, wintermute1912 said:

as this variable is different with each browser instance

Well, I had a weird issue on an old Waterfox profile where I wouldn't pass the test. The site was reloading continuously and everytime it did it would generate a new ID. Also, AirVPN is on a sticky tab, and after a few days its history would contain all the security checks I passed in the past. The ID is always different. That's how I know.